rbac: Use kubevirt-infra

The cluster-admin rol is needed on all (somehow) privileged pods. This I merged the kubevirt and kubevirt-admin ServiceAccounts into a single one (kubevirt-ifnra) which can be used by all kubevirt infrastructure components which require some privileges. Once KubeVirt becomes more stable we can make this more fine granular. Signed-off-by: Fabian Deutsch <[email protected]>
guangxuli · Sep 8, 2017 · 688a91f · 688a91f
1 parent a40a965
commit 688a91f
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 11 deletions.
diff --git a/manifests/haproxy.yaml.in b/manifests/haproxy.yaml.in
@@ -21,7 +21,7 @@ spec:
       labels:
         app: haproxy
     spec:
-      serviceAccountName: kubevirt-admin
+      serviceAccountName: kubevirt-infra
       containers:
       - name: haproxy
         image: {{ docker_prefix }}/haproxy:{{ docker_tag }}

diff --git a/manifests/iscsi-demo-target.yaml.in b/manifests/iscsi-demo-target.yaml.in
@@ -114,6 +114,7 @@ spec:
         app: iscsi-demo-target
       name: iscsi-demo-target-tgtd
     spec:
+      serviceAccountName: kubevirt-infra
       containers:
         - name: target
           image: {{ docker_prefix }}/iscsi-demo-target-tgtd:{{ docker_tag }}

diff --git a/manifests/libvirt.yaml.in b/manifests/libvirt.yaml.in
@@ -9,6 +9,7 @@ spec:
       labels:
         daemon: libvirt
     spec:
+      serviceAccountName: kubevirt-infra
       hostNetwork: true
       hostPID: true
       hostIPC: true

diff --git a/manifests/rbac.authorization.k8s.io.yaml.in b/manifests/rbac.authorization.k8s.io.yaml.in
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: kubevirt
+  name: kubevirt-infra
   labels:
     name: kubevirt
 rules:
@@ -42,7 +42,7 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kubevirt
+  name: kubevirt-infra
   labels:
     name: kubevirt
 ---
@@ -56,29 +56,29 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: kubevirt
+  name: kubevirt-infra
   labels:
     name: kubevirt
 roleRef:
   kind: ClusterRole
-  name: kubevirt
+  name: kubevirt-infra
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: kubevirt
+    name: kubevirt-infra
     namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: kubevirt-admin
+  name: kubevirt-infra-cluster-admin
   labels:
-    name: kubevirt-admin
+    name: kubevirt
 roleRef:
   kind: ClusterRole
   name: cluster-admin
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: kubevirt-admin
+    name: kubevirt-infra
     namespace: default
diff --git a/manifests/virt-api.yaml.in b/manifests/virt-api.yaml.in
@@ -21,7 +21,7 @@ spec:
       labels:
         app: virt-api
     spec:
-      serviceAccountName: kubevirt
+      serviceAccountName: kubevirt-infra
       containers:
       - name: virt-api
         image: {{ docker_prefix }}/virt-api:{{ docker_tag }}

diff --git a/manifests/virt-controller.yaml.in b/manifests/virt-controller.yaml.in
@@ -21,7 +21,7 @@ spec:
       labels:
         app: virt-controller
     spec:
-      serviceAccountName: kubevirt
+      serviceAccountName: kubevirt-infra
       containers:
       - name: virt-controller
         image: {{ docker_prefix }}/virt-controller:{{ docker_tag }}

diff --git a/manifests/virt-handler.yaml.in b/manifests/virt-handler.yaml.in
@@ -9,6 +9,7 @@ spec:
       labels:
         daemon: virt-handler
     spec:
+      serviceAccountName: kubevirt-infra
       hostPID: true
       containers:
       - name: virt-handler